It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Reviewing Incidents

  • Last updated on

The Incidents page displays all incidents for your Barracida account, along with the suspicious email associated with each incident.  

You can consider the Incidents page to be like a dashboard. Charts at the top of the page enable you to visualize the last six months of incidents and threats for your organization. Hover over a value in a chart to see the specific data. 

  • Incidents Created – Displays the number of incidents you created in the last six months. Data updated once per day.
  • Threats Remediated – Displays the number of threats remediated by Incident Response in the last six months. Data updated once per day.
  • Top 5 Attacked Users – Shows the five users in your organization who have received the most attacks. Data is updated once per day. You might consider evaluating why these users are attacked repeatedly and equip them with proper training in identifying threats and reporting them promptly. Barracuda recommends Barracuda's Security Awareness Training.   
    Note that if you have fewer than five users, fewer than five users are displayed. 

Note that after an email has been remediated in any way, that email will only be visible from within the incident on the Incidents page. The email will no longer appear in searches, on the location map, or in user-reported emails.

To review incidents:

  1. Log into Incident Response
  2. In the left pane, click the menu (menuIcon.png) icon to toggle the menu, and click Incidents.
  3. On the Incidents page, locate the incident you want to investigate and click View Incident.
  4. At the top of the page, view basic information about the incident, including your search criteria and how many messages were received by unique recipients. You can also view a list of remediation actions you chose to take on the reported incident displays.
    Note that you cannot turn on Continuous Remediation if you did not choose to delete messages when you created the incident.
  5. Review, or optionally, add one or more custom Tags to this incident so you can easily identify it later. In the upper-right corner of the page, click in the Tags field, type a tag, then press Enter. Repeat this process for additional tags. For more information, refer to the Tags section below.   
  6. Select the Email tab to view information about the emails involved in the incident. Click Export to CSV to export all of the data – from all of the tabs – for this incident.
    To focus on the information you want to find, you can choose to take the following actions:
    • Sort: Click a column heading to sort by that column. The first click sorts in ascending order. Click again to reverse the sort order to descending order. Click a different column heading to sort by that column instead. Note that you cannot sort by the Status column. 
    • Filter: In a column heading, click the three dots 3dots.png to specify filtering information for that column. Select whether you want a value to contain or not to contain the value you enter. Click Filter to apply the filter. You can apply filters to one or more columns. Columns with a filter applied display with a colored background. To clear a filter, click the three dots 3dotsBlue.png, then click Clear. Note that you can only filter the Status column by Remediated/Not Remediated. You cannot filter the Received Date column. 

    Data displayed: 

      • Dates emails were received
      • Whether the email was inbound (to your organization) or outbound (from your organization)
      • Sender emails
      • Affected Mailboxes (members of your organization affected by this incident)
      • Subjects
      • Status of actions taken, if any
        Status options include:

        success.png

        Email successfully removed from the user's inbox, or

        User removed email from their inbox

        notremoved.png

        Email could not be removed from the user's inbox

         

        CRremoved.pngEmail successfully removed from the user's inbox during Continuous Remediation
        CRfail.pngEmail could not be removed from the user's inbox during Continuous Remediation
        inProgress.png

        Actions pending

        noAction.pngNo remediation actions taken for this inbox/user
    A paper clip clip.png displays if the email has an attachment. You can see the attachment when you view the email. 
  7. Click the plus icon plusIcon.png at the far left of a row to view a copy of the email in question, along with its header information, threat details, and attachments, if any.
  8. Select the Users tab to view users involved in this incident and whether they:
    • Clicked on a link within the email – Requires that Link Protection in Barracuda Email Security Service is turned ON when the email is received. 
      Undetected: Barracuda Email Security Service does not process internal emails, so they appear as Undetected in Incident Response. 
    • Opened the email
    • Replied to the email or Forwarded the email 
      Undetected: Note that some values for Replied to Email or Forwarded Email might display as Undetected. This can happen if there is more than one email in an incident and it is not possible for Incident Response to be able to detect whether a user replied to or forwarded one of the specific messages. 
  9. Select the Threats tab, if it is present. The Threats tab appears only for incidents that were resolved through automatic remediation. It displays:
    • For malicious links: The malicious URL that was included in the email, the type of attack the URL is identified to be, and the actual path of the malicious URL. 
    • For malicious attachments: The attachment name, the category of malicious attachment, and any details about the attachment.
  10. Select the Clicked Links tab. For one or more emails related to this incident, it displays:
    • Received Date – The date emails were received. 
    • Users Involved – One or more users who received the emails.
    • Message ID – Barracuda's unique identifier for emails.
    • Subject – The subject line of the emails. 
    • Clicked Link – Whether the user clicked a link in the email. 
    • ClickedIP – The target IP address of the link clicked by the user.
    • Clicked User Agents – Information associated with each user's browser that was used to click the link. 
    Note that if one user in a group of multiple recipients clicks a link, this table displays that the link was clicked, but not necessarily by which recipient. 
  11. Click the Incidents breadcrumb at the top of the page, use the menu to select Incidents, or use your browser's Back button to return to the Incidents page.
Creating an Incident

Creating an incident is available only with Incident Response. For more information, see Overview of Email Protection Plans.

To create a new incident from within the Incidents  page, refer to Creating an Incident .     

Tags

You can add custom tags to your incidents to help you remember them later. For example, you might choose to add tags like finance team or extortion attempt. Tags are available in the following locations within Incident Response. You can only create and delete tags in certain locations. 

Location/ActionAvailableView TagsCreate/Delete Tags
Creating an incidentPremium and Premium Plus planscheck.pngcheck.png
Reviewing incident detailsAll planscheck.pngcheck.png
Reviewing table on the Incidents pageAll planscheck.png 


To create a tag:

Click in the Tags field and type a tag, then press Enter. Repeat this process for additional tags. 
You can use tags you defined previously by clicking in the Tags  field and selecting from the Tags displayed in the list.

To delete a tag:

Click the associated X icon for that tag. 

Tags can include up to 100 letters, numbers, and spaces.

Last updated on